Researchers at Palo Alto Networks Unit 42 have discovered a new phishing campaign that sends emails containing password-protected documents and makes use of a legitimate remote access tool. The goal is to gain access to the victims' networks.
The phishing campaign started in January and uses several techniques to compromise victims' systems and gain remote access to their networks.
Victims receive phishing emails that include a password-protected document. The message states that the password is set to protect the confidentiality of the data in the document. Most of the emails relate to refunds, online transactions, and invoices.
The password is included in the phishing email.
Unlocking the document allows macros to be enabled and runs the commands needed for the subsequent stages of the attack. The hackers use PowerShell to install a remote access tool and other mechanisms that allow them to persist on the system.
The tool installed is NetSupport Manager, a legitimate remote access program often used in IT support.
However, in the hands of malicious hackers it can enable information theft or support a riskier, longer-term plan. For example, attackers could use it to monitor the victim's incoming and outgoing emails. That way, the attackers also obtain information about other users. They can then carry out further phishing attacks targeting other people.
The problem is that antivirus software cannot identify NetSupport Manager as malicious, because it is a legitimate product.
The researchers have not yet discovered the ultimate purpose of this phishing campaign. However, since the attack requires macros, IT administrators can protect users by disabling macros by default. In addition, users should be very careful with the emails they receive, especially if they come from unknown sources.
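
One way for an administrator to check whether macros are actually disabled by policy on a workstation, as an added example that is not taken from the Unit 42 research. It assumes Office 2016 or later (policy version key `16.0`), the per-user policy hive, and the three applications listed; adjust these for your environment.

```powershell
# Added example: audit the Office macro policy for the current user.
# Assumptions: Office 2016+ (version key 16.0), per-user policy hive (HKCU),
# and that Word, Excel and PowerPoint are the applications of interest.
$apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings policy value
$meaning = @{
    1 = 'enable all macros'
    2 = 'disable with notification (user can still enable)'
    3 = 'disable except digitally signed macros'
    4 = 'disable all without notification'
}

$report = foreach ($app in $apps) {
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Both values are $null when the policy is not configured
    $vba   = $props.VBAWarnings
    $block = $props.blockcontentexecutionfrominternet

    [pscustomobject]@{
        Application          = $app
        MacroPolicy          = if ($null -ne $vba) { "$vba = $($meaning[[int]$vba])" }
                               else { 'not set by policy (user controls the setting)' }
        BlockedWithoutPrompt = ($vba -eq 4)
        InternetMacrosBlocked = ($block -eq 1)
    }
}

$report | Format-Table -AutoSize

# List applications where a user could still be talked into enabling macros
$report | Where-Object { -not $_.BlockedWithoutPrompt } |
    ForEach-Object { Write-Warning "$($_.Application): macros are not blocked without prompt" }
```

A value of 2, or no policy at all, leaves the decision with the user, which is the situation a lure like this one depends on.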